Government Contractor Compliance & Regulatory Update

OFCCP Announces New Veteran Hiring Benchmark

Posted in OFCCP

The OFCCP has announced its 2017 Vietnam Era Veterans’ Readjustment Assistance Act (VEVRAA) Benchmark. The new benchmark is 6.7%, slightly lower than the previous year’s 6.9% benchmark.

The VEVRAA Benchmark is the figure which federal contractors must use to assess the effectiveness of their outreach programs for the hiring of veterans. Contractors may either use the OFCCP’s national benchmark, or establish their own benchmark using applicable statistics and other metrics set forth in OFCCP’s regulations (41 CFR §60-300.45(b)(2)).

BREAKING: Blacklisting Rule Is Officially and Completely Dead

Posted in Federal Acquisitions, Federal Contractors

Yesterday (March 27, 2017), President Trump signed into law a Congressional Joint Resolution of Disapproval (the “Resolution”), revoking the rules implementing the controversial Fair Pay and Safe Workplaces Executive Order, better known as the Blacklisting Rule.  The same day, President Trump issued a new Executive Order – The “Presidential Executive Order on the Revocation of Federal Contracting Executive Orders” – officially revoking the Fair Pay and Safe Workplaces Executive Order.

As federal contractors are well aware, the Blacklisting Rule required federal contractors to disclose various “violations” of labor laws to the federal government, imposed new paycheck transparency obligations, created new employee arbitration restrictions, and imposed new independent contractor notification requirements.  Most of these requirements had been enjoined by a federal judge in October 2016, but some of the provisions – specifically, the paycheck transparency and independent contractor notification provisions – remained untouched by the ruling and went into effect January 1, 2017.

To revoke the Blacklisting Rule, Congress utilized the little-used Congressional Review Act (the “CRA”), which allows Congress to review new federal regulations and overrule them by passing a joint resolution within a certain period of time after the regulation is transmitted to Congress.  The CRA had only been used once before to successfully revoke a regulation.  The Resolution passed in the House of Representatives on a 236-187 vote on February 2, 2017.  On March 6, 2017, the Senate passed the Resolution by a narrow 49-48 margin.

With President Trump’s signature and implementation of his own Executive Order, the Rule has met its complete demise.

Renewed OFCCP Voluntary Self-Identification of Disability Form Now Available

Posted in Federal Contractors, OFCCP

Earlier today, the Office of Federal Contract Compliance Programs (OFCCP) announced that the Office of Management and Budget renewed the voluntary self-identification form for individuals with disabilities for an additional three years. This renewed Voluntary Self-Identification of Disability form is exactly the same as the prior form, except that it has a new expiration date of January 31, 2020.  Even so, federal contractors should start using this renewed form immediately.

The Voluntary Self-Identification of Disability form invites job applicants and employees voluntarily to self-identify as being an individual with a disability. The information collected on the self-identification form should be used by covered federal government contractors in determining that they have satisfied the utilization goal established by OFCCP and in conducting data analytics in connection with their affirmative action plans.

Trump Administration Will Retain LGBT Protections for Government Contractor Employees

Posted in Discrimination, OFCCP

Although the first eleven days of the Trump Administration have been full of activity and controversy, federal government contractors have been waiting to see if President Trump will undo or modify the compliance obligations imposed on them through the numerous Executive Orders issued by President Obama.

This morning (January 31, 2017) the White House announced plans with respect to one of those Executive Orders: Executive Order 11478 (the “Order”), which added sexual orientation and gender identity to the classes protected by Executive Order 11246.  According to the statement, the Order “will remain intact at the direction of President Trump.”  The announcement came the day after the press reported that the Trump Administration was contemplating overturning the Order or adding religious-freedom provisions.  The statement made today is silent on the latter point.

You can find our prior blog posts about the Order and its implementing regulations here and here.

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

Posted in Employment Law

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any, associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, and to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Records Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include: (1) limiting access to the information to authorized users; (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute; (3) verifying controls on connections to external information systems; (4) imposing controls on information that is posted or processed on publicly accessible information systems; (5) identifying information system users and processes acting on behalf of users or devices; (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system; (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse; (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals; (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices; (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems; (11) implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks; (12) identifying, reporting, and correcting information and information system flaws in a timely manner; (13) providing protection from malicious code at appropriate locations within organizational information systems; (14) updating malicious code protection mechanisms when new releases are available; and (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

EFFECTIVE TODAY: FAR Barring Certain Contractor Confidentiality Agreements

Posted in Federal Acquisitions

Today (January 19, 2017), the Employee Internal Confidentiality Agreements or Statements Federal Acquisition Regulation (the “Rule”) goes into effect.  The Rule prohibits the government from contracting with companies that require employees or subcontractors to sign “internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or subcontractors from lawfully reporting such waste, fraud, or abuse to a designated investigative or law enforcement representative of a Federal department or agency authorized to receive such information.”  The commentary to the Rule explains that “designated” representatives are employees of the applicable agency’s Office of Inspector General.  The Rule applies to all solicitations and contracts (including contracts for Commercial Off-the-Shelf items (“COTS”)) using fiscal year 2015 funds or funds from any subsequent fiscal year.

Going forward, contractors will be required to certify in connection with bids on new contracts or maintenance of existing contracts, that they have no non-compliant confidentiality agreements and will not enter into any non-compliant confidentiality agreements with their employees and subcontractors.  If the contractor represents that it has non-compliant agreements currently in effect, the contractor is ineligible for the new contract.

Excluded from the Rule are “confidentiality agreements arising out of civil litigation and confidentiality agreements that contractor employees or subcontractors sign at the behest of a Federal agency.”  Thus, contractors need not be concerned about settlements entered into during litigation or federally-mandated confidentiality agreements.

Key Takeaways

Contractors should immediately review their existing employee and subcontractor confidentiality agreements to ensure compliance.  To the extent any non-compliant confidentiality agreements exist, contractors should, consistent with guidance in the Rule, issue a notice to existing employees and subcontractors that such agreements, to the extent they conflict with the Rule, are no longer in effect, and have employees and subcontractors sign compliant confidentiality agreements.

Governor Cuomo Signs Executive Order Requiring State Contractors To Report Job Title And Pay Data

Posted in Employment Law, Labor Law

On January 9, 2017, New York Governor Andrew Cuomo signed an Executive Order that requires state contractors to disclose, in addition to data on gender, race, and ethnicity that is already required, job title and salary data for all of their employees working on state contracts (or their entire workforce if those working on state contracts cannot be identified). The Order, “Ensuring Pay Equity By State Contractors,” compels state contractors to disclose this data for all state contracts, agreements, and procurements issued and executed on or after June 1, 2017.

OFCCP Sues Google, Seeking Pay Data

Posted in OFCCP

On January 4, 2017, the Office of Federal Contract Compliance Programs (OFCCP) sued Google, claiming that the tech giant is illegally withholding information about the compensation it provides its employees.  OFCCP seeks the information as part of an ongoing review of Google’s compliance with the various equal protection laws enforced by the OFCCP.

Effective January 1, 2017: New Federal Contractor Paycheck Transparency, Independent Contractor Notice, and Paid Sick Leave Obligations

Posted in Department of Labor, Federal Acquisitions, Federal Contractors, OFCCP

On January 1, 2017, new federal contract paycheck transparency, independent contractor notification, and paid sick leave requirements go into effect.  Below we summarize the key elements of these new regulatory requirements.

Thomas M. Dowd Named OFCCP’s Acting Director

Posted in OFCCP

With Patricia Shiu stepping down as Director of the Office of Federal Contract Compliance Programs (“OFCCP”) on November 6, 2016, Thomas M. Dowd has been named OFCCP’s Acting Director, effective November 7, 2016.  He will serve until the new Trump Administration’s Secretary of Labor names a permanent director.

Mr. Dowd previously served as OFCCP’s career Deputy Director since 2011.